clud-bug 0.6.22 → 0.6.24

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clud-bug",
-  "version": "0.6.22",
+  "version": "0.6.24",
   "description": "Skill-driven Claude PR review. Ship a brand-voice skill, get brand reviews. Each finding cites the skill that motivated it. CLI installs the workflow + a baseline kit; add more from skills.sh.",
   "homepage": "https://cludbug.dev",
   "bugs": "https://github.com/thrillmade/clud-bug/issues",

package/templates/workflow-py.yml.tmpl

@@ -15,6 +15,7 @@ jobs:
     outputs:
       is_workflow_only: ${{ steps.classify.outputs.is_workflow_only }}
       model: ${{ steps.classify.outputs.model }}
+      max_turns: ${{ steps.classify.outputs.max_turns }}
     steps:
       - name: Classify PR diff
         id: classify
@@ -27,8 +28,13 @@ jobs:
           CHANGED=$(gh pr diff "$PR_NUMBER" -R "$REPO" --name-only)
           MODEL=claude-sonnet-4-6
           if [ -z "$CHANGED" ]; then
-            echo "is_workflow_only=false" >> "$GITHUB_OUTPUT"
-            echo "model=$MODEL" >> "$GITHUB_OUTPUT"
+            # v0.6.23 / §5: max_turns must always be emitted — see workflow.yml.tmpl for design notes.
+            # Grouped redirect (v0.6.24) silences the SC2129 style warning.
+            {
+              echo "is_workflow_only=false"
+              echo "model=$MODEL"
+              echo "max_turns=15"
+            } >> "$GITHUB_OUTPUT"
             exit 0
           fi
           IS_WORKFLOW_ONLY=true
@@ -75,6 +81,23 @@ jobs:
           fi
           echo "model=$MODEL" >> "$GITHUB_OUTPUT"
 
+          # Adaptive max-turns (v0.6.23 / §5) — see workflow.yml.tmpl for design notes.
+          MAX_TURNS=15
+          if [ "$IS_TRIVIAL" = "true" ]; then
+            MAX_TURNS=10
+          else
+            FILE_COUNT=$(echo "$CHANGED" | wc -l | tr -d ' ')
+            THREAD_COUNT=$(gh api graphql -f query='{repository(owner:"'"$(echo "$REPO" | cut -d/ -f1)"'",name:"'"$(echo "$REPO" | cut -d/ -f2)"'"){pullRequest(number:'"$PR_NUMBER"'){reviewThreads(first:50){nodes{isResolved comments(first:1){nodes{author{login}}}}}}}}' --jq '[.data.repository.pullRequest.reviewThreads.nodes[] | select(.isResolved == false and (.comments.nodes[0].author.login == "claude" or .comments.nodes[0].author.login == "claude[bot]"))] | length' 2>/dev/null || echo 0)
+            THREAD_COUNT=${THREAD_COUNT:-0}
+            if [ "$FILE_COUNT" -ge 30 ] || [ "$THREAD_COUNT" -ge 6 ]; then
+              MAX_TURNS=40
+            elif [ "$FILE_COUNT" -ge 10 ] || [ "$THREAD_COUNT" -ge 3 ]; then
+              MAX_TURNS=25
+            fi
+            echo "::notice title=Clud Bug 🐛::Turn budget: $MAX_TURNS ($FILE_COUNT files, $THREAD_COUNT prior threads)."
+          fi
+          echo "max_turns=$MAX_TURNS" >> "$GITHUB_OUTPUT"
+
   clud-bug-review:
     needs: paths-check
     if: needs.paths-check.outputs.is_workflow_only != 'true'
@@ -85,6 +108,9 @@ jobs:
       id-token: write
       # checks: write — composite emits per-skill check-runs (BB.3).
       checks: write
+      # v0.6.24: `actions: read` (added in v0.6.23) backed out — broke
+      # `pull_request` trigger firing on private consumer repos. See
+      # workflow.yml.tmpl for the diagnosis.
 
     steps:
       - uses: actions/checkout@v6
@@ -147,7 +173,7 @@ jobs:
           # structured output; post-step renders + posts. See workflow.yml.tmpl for design notes.
           claude_args: |
             --model ${{ needs.paths-check.outputs.model }}
-            --max-turns 15
+            --max-turns ${{ needs.paths-check.outputs.max_turns }}
             --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh api graphql:*),Bash(gh api repos/:*),Bash(git show:*),Bash(git diff:*),Bash(git merge-base:*),Bash(cat .claude/skills/.clud-bug.json),Bash(cat .claude/skills/*/SKILL.md),Bash(head:*)"
             --json-schema '{{REVIEW_SCHEMA}}'
           prompt: |
@@ -190,7 +216,7 @@ jobs:
       # Strict-mode gate — composite action; see workflow.yml.tmpl for design notes.
       - name: Strict mode — fail check on critical findings
         if: success()
-        uses: thrillmade/clud-bug/.github/actions/strict-mode-gate@v0.6.22
+        uses: thrillmade/clud-bug/.github/actions/strict-mode-gate@v0.6.24
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           # v0.6.22 / 0.0.O: summary now posted by github-actions[bot].

package/templates/workflow-ts.yml.tmpl

@@ -15,6 +15,7 @@ jobs:
     outputs:
       is_workflow_only: ${{ steps.classify.outputs.is_workflow_only }}
       model: ${{ steps.classify.outputs.model }}
+      max_turns: ${{ steps.classify.outputs.max_turns }}
     steps:
       - name: Classify PR diff
         id: classify
@@ -27,8 +28,13 @@ jobs:
           CHANGED=$(gh pr diff "$PR_NUMBER" -R "$REPO" --name-only)
           MODEL=claude-sonnet-4-6
           if [ -z "$CHANGED" ]; then
-            echo "is_workflow_only=false" >> "$GITHUB_OUTPUT"
-            echo "model=$MODEL" >> "$GITHUB_OUTPUT"
+            # v0.6.23 / §5: max_turns must always be emitted — see workflow.yml.tmpl for design notes.
+            # Grouped redirect (v0.6.24) silences the SC2129 style warning.
+            {
+              echo "is_workflow_only=false"
+              echo "model=$MODEL"
+              echo "max_turns=15"
+            } >> "$GITHUB_OUTPUT"
             exit 0
           fi
           IS_WORKFLOW_ONLY=true
@@ -75,6 +81,23 @@ jobs:
           fi
           echo "model=$MODEL" >> "$GITHUB_OUTPUT"
 
+          # Adaptive max-turns (v0.6.23 / §5) — see workflow.yml.tmpl for design notes.
+          MAX_TURNS=15
+          if [ "$IS_TRIVIAL" = "true" ]; then
+            MAX_TURNS=10
+          else
+            FILE_COUNT=$(echo "$CHANGED" | wc -l | tr -d ' ')
+            THREAD_COUNT=$(gh api graphql -f query='{repository(owner:"'"$(echo "$REPO" | cut -d/ -f1)"'",name:"'"$(echo "$REPO" | cut -d/ -f2)"'"){pullRequest(number:'"$PR_NUMBER"'){reviewThreads(first:50){nodes{isResolved comments(first:1){nodes{author{login}}}}}}}}' --jq '[.data.repository.pullRequest.reviewThreads.nodes[] | select(.isResolved == false and (.comments.nodes[0].author.login == "claude" or .comments.nodes[0].author.login == "claude[bot]"))] | length' 2>/dev/null || echo 0)
+            THREAD_COUNT=${THREAD_COUNT:-0}
+            if [ "$FILE_COUNT" -ge 30 ] || [ "$THREAD_COUNT" -ge 6 ]; then
+              MAX_TURNS=40
+            elif [ "$FILE_COUNT" -ge 10 ] || [ "$THREAD_COUNT" -ge 3 ]; then
+              MAX_TURNS=25
+            fi
+            echo "::notice title=Clud Bug 🐛::Turn budget: $MAX_TURNS ($FILE_COUNT files, $THREAD_COUNT prior threads)."
+          fi
+          echo "max_turns=$MAX_TURNS" >> "$GITHUB_OUTPUT"
+
   clud-bug-review:
     needs: paths-check
     if: needs.paths-check.outputs.is_workflow_only != 'true'
@@ -85,6 +108,9 @@ jobs:
       id-token: write
       # checks: write — composite emits per-skill check-runs (BB.3).
       checks: write
+      # v0.6.24: `actions: read` (added in v0.6.23) backed out — broke
+      # `pull_request` trigger firing on private consumer repos. See
+      # workflow.yml.tmpl for the diagnosis.
 
     steps:
       - uses: actions/checkout@v6
@@ -147,7 +173,7 @@ jobs:
           # structured output; post-step renders + posts. See workflow.yml.tmpl for design notes.
           claude_args: |
             --model ${{ needs.paths-check.outputs.model }}
-            --max-turns 15
+            --max-turns ${{ needs.paths-check.outputs.max_turns }}
             --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh api graphql:*),Bash(gh api repos/:*),Bash(git show:*),Bash(git diff:*),Bash(git merge-base:*),Bash(cat .claude/skills/.clud-bug.json),Bash(cat .claude/skills/*/SKILL.md),Bash(head:*)"
             --json-schema '{{REVIEW_SCHEMA}}'
           prompt: |
@@ -190,7 +216,7 @@ jobs:
       # Strict-mode gate — composite action; see workflow.yml.tmpl for design notes.
       - name: Strict mode — fail check on critical findings
         if: success()
-        uses: thrillmade/clud-bug/.github/actions/strict-mode-gate@v0.6.22
+        uses: thrillmade/clud-bug/.github/actions/strict-mode-gate@v0.6.24
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           # v0.6.22 / 0.0.O: summary now posted by github-actions[bot].

package/templates/workflow.yml.tmpl

@@ -29,6 +29,7 @@ jobs:
     outputs:
       is_workflow_only: ${{ steps.classify.outputs.is_workflow_only }}
       model: ${{ steps.classify.outputs.model }}
+      max_turns: ${{ steps.classify.outputs.max_turns }}
     steps:
       - name: Classify PR diff
         id: classify
@@ -41,8 +42,18 @@ jobs:
           CHANGED=$(gh pr diff "$PR_NUMBER" -R "$REPO" --name-only)
           MODEL=claude-sonnet-4-6   # default
           if [ -z "$CHANGED" ]; then
-            echo "is_workflow_only=false" >> "$GITHUB_OUTPUT"
-            echo "model=$MODEL" >> "$GITHUB_OUTPUT"
+            # v0.6.23 / §5: max_turns must always be emitted because
+            # clud-bug-review runs (is_workflow_only=false). Without
+            # this, --max-turns $-{{ ... }} expands to '--max-turns '
+            # (empty), failing the CLI invocation. Empty-CHANGED fires
+            # on gh pr diff auth/network failures + the (theoretical)
+            # no-changed-files PR. Grouped redirect (v0.6.24) silences
+            # the SC2129 style warning.
+            {
+              echo "is_workflow_only=false"
+              echo "model=$MODEL"
+              echo "max_turns=15"
+            } >> "$GITHUB_OUTPUT"
             exit 0
           fi
 
@@ -102,6 +113,38 @@ jobs:
           fi
           echo "model=$MODEL" >> "$GITHUB_OUTPUT"
 
+          # --- (c) adaptive max-turns (v0.6.23 / §5) ---
+          # Scope-based turn budget so large PRs (many files OR many prior
+          # unresolved threads to walk in FIX-PUSH FLOW) don't exhaust the
+          # default 15-turn budget. Concrete failure that motivated this:
+          # tokenomics PR #18 (23 docs files + 6 prior claude[bot] threads)
+          # exhausted the cap under v0.6.12 AND under v0.6.22's
+          # structured-output flow.
+          #
+          # Buckets:
+          #   Trivial (Haiku) → 10
+          #   Standard (<10 files AND <3 prior threads) → 15 (current default)
+          #   Larger (≥10 files OR ≥3 prior threads) → 25
+          #   Very large (≥30 files OR ≥6 prior threads) → 40
+          MAX_TURNS=15
+          if [ "$IS_TRIVIAL" = "true" ]; then
+            MAX_TURNS=10
+          else
+            FILE_COUNT=$(echo "$CHANGED" | wc -l | tr -d ' ')
+            # Count unresolved claude-bot threads. Best-effort: rate-limit
+            # or auth failures default to 0 (no escalation, fall back to
+            # file-count tier).
+            THREAD_COUNT=$(gh api graphql -f query='{repository(owner:"'"$(echo "$REPO" | cut -d/ -f1)"'",name:"'"$(echo "$REPO" | cut -d/ -f2)"'"){pullRequest(number:'"$PR_NUMBER"'){reviewThreads(first:50){nodes{isResolved comments(first:1){nodes{author{login}}}}}}}}' --jq '[.data.repository.pullRequest.reviewThreads.nodes[] | select(.isResolved == false and (.comments.nodes[0].author.login == "claude" or .comments.nodes[0].author.login == "claude[bot]"))] | length' 2>/dev/null || echo 0)
+            THREAD_COUNT=${THREAD_COUNT:-0}
+            if [ "$FILE_COUNT" -ge 30 ] || [ "$THREAD_COUNT" -ge 6 ]; then
+              MAX_TURNS=40
+            elif [ "$FILE_COUNT" -ge 10 ] || [ "$THREAD_COUNT" -ge 3 ]; then
+              MAX_TURNS=25
+            fi
+            echo "::notice title=Clud Bug 🐛::Turn budget: $MAX_TURNS ($FILE_COUNT files, $THREAD_COUNT prior unresolved claude threads)."
+          fi
+          echo "max_turns=$MAX_TURNS" >> "$GITHUB_OUTPUT"
+
   clud-bug-review:
     needs: paths-check
     if: needs.paths-check.outputs.is_workflow_only != 'true'
@@ -114,6 +157,15 @@ jobs:
       # the GitHub Checks API for any skill in .clud-bug.json's strictSkills
       # list (BB.3, v0.5.10+). No-op when strictSkills is unset.
       checks: write
+      # v0.6.23 attempted to add `actions: read` here for the github_ci
+      # MCP server bundled with claude-code-action. v0.6.24 backed it
+      # out: on private consumer repos the `pull_request` trigger
+      # silently stopped firing the workflow after the permissions
+      # block changed (validated against tokenomics — public agent-skills
+      # kept firing, private tokenomics/rezgen did not). claude-code-action
+      # warns about the missing `actions: read` but reviews still run
+      # correctly. Re-add via a separate path once we understand the
+      # private-repo trigger-registration semantics.
 
     steps:
       - uses: actions/checkout@v6
@@ -229,7 +281,7 @@ jobs:
           # this template at `clud-bug init` time via {{REVIEW_SCHEMA}}.
           claude_args: |
             --model ${{ needs.paths-check.outputs.model }}
-            --max-turns 15
+            --max-turns ${{ needs.paths-check.outputs.max_turns }}
             --allowedTools "mcp__github_inline_comment__create_inline_comment,Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh api graphql:*),Bash(gh api repos/:*),Bash(git show:*),Bash(git diff:*),Bash(git merge-base:*),Bash(cat .claude/skills/.clud-bug.json),Bash(cat .claude/skills/*/SKILL.md),Bash(head:*)"
             --json-schema '{{REVIEW_SCHEMA}}'
           prompt: |
@@ -290,7 +342,7 @@ jobs:
       # Letting the action's own failure fail the check is louder and right.
       - name: Strict mode — fail check on critical findings
         if: success()
-        uses: thrillmade/clud-bug/.github/actions/strict-mode-gate@v0.6.22
+        uses: thrillmade/clud-bug/.github/actions/strict-mode-gate@v0.6.24
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           # v0.6.22 / 0.0.O: the summary is now posted by the workflow